CVE-2025-38449
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38449
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38449.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-38449
- Downstream
- Related
- Published
- 2025-07-25T16:15:30Z
- Modified
- 2025-08-13T12:49:55.708132Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
drm/gem: Acquire references on GEM handles for framebuffers
A GEM handle can be released while the GEM buffer object is attached to a DRM framebuffer. This leads to the release of the dma-buf backing the buffer object, if any. [1] Trying to use the framebuffer in further mode-setting operations leads to a segmentation fault. Most easily happens with driver that use shadow planes for vmap-ing the dma-buf during a page flip. An example is shown below.
[ 156.791968] ------------[ cut here ]------------ [ 156.796830] WARNING: CPU: 2 PID: 2255 at drivers/dma-buf/dma-buf.c:1527 dmabufvmap+0x224/0x430 [...] [ 156.942028] RIP: 0010:dmabufvmap+0x224/0x430 [ 157.043420] Call Trace: [ 157.045898] <TASK> [ 157.048030] ? showtraceloglvl+0x1af/0x2c0 [ 157.052436] ? showtraceloglvl+0x1af/0x2c0 [ 157.056836] ? showtraceloglvl+0x1af/0x2c0 [ 157.061253] ? drmgemshmemvmap+0x74/0x710 [ 157.065567] ? dmabufvmap+0x224/0x430 [ 157.069446] ? _warn.cold+0x58/0xe4 [ 157.073061] ? dmabufvmap+0x224/0x430 [ 157.077111] ? reportbug+0x1dd/0x390 [ 157.080842] ? handlebug+0x5e/0xa0 [ 157.084389] ? excinvalidop+0x14/0x50 [ 157.088291] ? asmexcinvalidop+0x16/0x20 [ 157.092548] ? dmabufvmap+0x224/0x430 [ 157.096663] ? dmaresvgetsingleton+0x6d/0x230 [ 157.101341] ? _pfxdmabufvmap+0x10/0x10 [ 157.105588] ? _pfxdmaresvgetsingleton+0x10/0x10 [ 157.110697] drmgemshmemvmap+0x74/0x710 [ 157.114866] drmgemvmap+0xa9/0x1b0 [ 157.118763] drmgemvmapunlocked+0x46/0xa0 [ 157.123086] drmgemfbvmap+0xab/0x300 [ 157.126979] drmatomichelperprepareplanes.part.0+0x487/0xb10 [ 157.133032] ? lockdepinitmaptype+0x19d/0x880 [ 157.137701] drmatomichelpercommit+0x13d/0x2e0 [ 157.142671] ? drmatomicnonblockingcommit+0xa0/0x180 [ 157.147988] drmmodeatomic_ioctl+0x766/0xe40 [...] [ 157.346424] ---[ end trace 0000000000000000 ]---
Acquiring GEM handles for the framebuffer's GEM buffer objects prevents this from happening. The framebuffer's cleanup later puts the handle references.
Commit 1a148af06000 ("drm/gem-shmem: Use dma_buf from GEM object instance") triggers the segmentation fault easily by using the dma-buf field more widely. The underlying issue with reference counting has been present before.
v2: - acquire the handle instead of the BO (Christian) - fix comment style (Christian) - drop the Fixes tag (Christian) - rename err_ gotos - add missing Link tag
- References
-
- https://git.kernel.org/stable/c/08480e285c6a82ce689008d643e4a51db0aaef8b
- https://git.kernel.org/stable/c/3cf520d9860d4ec9f7f32068825da31f18dd3f25
- https://git.kernel.org/stable/c/5307dce878d4126e1b375587318955bd019c3741
- https://git.kernel.org/stable/c/cb4c956a15f8b7f870649454771fc3761f504b5f
- https://security-tracker.debian.org/tracker/CVE-2025-38449
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
5.*
6.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
6.*
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:14 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected